Department of Homeland Security
Office of Inspector General

DHS Continues to Face Challenges in the Implementation of Its OneNet Project

OIG-11-116    September 2011

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

September 28, 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report addresses the strengths and weaknesses of the DHS’ management of the consolidation of its wide area network, known as OneNet. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations.
We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Information Technology Audits

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
    Progress Made in Implementing OneNet
    Improvements Needed for Transition to the OneNet
    Recommendations
    Management Comments and OIG Analysis

Appendices
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Major Contributors to this Report
    Appendix D: Report Distribution

Abbreviations
    AHRP      Application Hosting Reverse Proxy
    CBP       U.S. Customs and Border Protection
    CIO       Chief Information Officer
    CONOPS    Concept of Operations
    DHS       Department of Homeland Security
    DOD       Department of Defense
    EOC       Enterprise Operations Center
    FEMA      Federal Emergency Management Agency
    FLETC     Federal Law Enforcement Training Center
    FY        fiscal year
    HAG       High Assurance Gateway
    HQ        headquarters
    ICE       U.S. Immigration and Customs Enforcement
    IPv6      Internet Protocol Version 6
    ISA       interconnection security agreement
    IT        information technology
    ITP       Information Technology Infrastructure Transformation Program
    LCCE      life cycle cost estimate
    MOA       memorandum of agreement
    MPLS      Multiple Protocol Label Switching
    NOC       Network Operations Center
    OIG       Office of Inspector General
    OCIO      Office of Chief Information Officer
    OMB       Office of Management and Budget
    PEP       Policy Enforcement Point
    ROI       return on investment
    RTIC      redundant trusted Internet connection
    SOC       Security Operations Center
    TIC       Trusted Internet Connection
    TSA       Transportation Security Administration
    USCIS     United States Citizenship and Immigration Services
    USCG      United States Coast Guard
    USSS      United States Secret Service
    VPN       virtual private network
    WAN       wide area network

Executive Summary

In 2005, the Department of Homeland Security began to consolidate and transform its existing individual component networks into a single world-class information technology infrastructure. To achieve this goal, the OneNet Infrastructure, an enterprise-wide integrated information technology network, was created. The goal of OneNet is to create a reliable, cost-effective information technology infrastructure platform that supports the ability to share data among components. We reviewed the Department’s efforts to consolidate component networks to OneNet. Our objective was to determine the progress the Department is making in meeting its OneNet objectives.

The Department has made some progress toward consolidating the existing components’ infrastructures into OneNet. Specifically, it has established a centralized Network Operations Center/Security Operations Center incident response center. Further, components are signing memorandums of agreement and converting their sites to the Multiple Protocol Label Switching architecture in accordance with OneNet requirements. Finally, the Department has established the redundant trusted Internet connection that provides a redundant network infrastructure and offers essential network services to its components.

However, the Department needs to make a number of improvements in order to implement the OneNet architecture. Specifically, it needs to establish component connections (peering) to OneNet and ensure that all components transition to the redundant trusted Internet connection.
Further, it needs to complete required project management documents, and update interconnection security agreements.

We are recommending that the Department of Homeland Security Chief Information Officer complete the transition and connection (peering) of the components and develop and implement key planning documents and applicable agreements to OneNet.

Background

On July 31, 2005, the Department of Homeland Security (DHS) approved the charter for the Information Technology Infrastructure Transformation Program (ITP). The ITP represents the Department’s full-scale move toward a DHS-consolidated information technology (IT) infrastructure supporting the cross-organizational missions of protecting the homeland, deterring crime, detecting and countering threats, and myriad other responsibilities. As part of the process, DHS began to consolidate its components’ existing infrastructures into a single wide area network (WAN), known as OneNet.

The Department’s goal for OneNet is to facilitate the ability of all DHS components to share data by integrating component networks into a single network.
To achieve this goal, DHS selected U.S. Customs and Border Protection (CBP) as the network services steward to maintain and operate OneNet and its original legacy DHS Core Network. As the network steward, CBP is responsible for developing and coordinating with other components to consolidate their existing infrastructures with OneNet. Next, components converted their sites to the Multiple Protocol Label Switching (MPLS)[1] technology to provide DHS networks with enhanced redundancy, survivability, and reliability. Finally, DHS adopted a multilayered security approach by creating the Enterprise Operations Center (EOC), consisting of the Network Operations Center (NOC) and the Security Operations Center (SOC).

The concept of OneNet is to provide network segmentation between components to protect mission-critical information. To encourage an enterprise network solution throughout, DHS established Trust Zones to protect component data that cannot be shared with other components. Policy Enforcement Points (PEPs) were established to protect the security policy of the Trust Zones and allow for the sharing of services and information among the components.
Figure 1 illustrates component Trust Zones and their respective connections to OneNet.

[1] MPLS is an architecture for fast packet switching and routing that provides the designation, routing, forwarding, and switching of traffic flows across a network through the use of simple, fixed-length labels.

[Figure 1. Trust Zone Model. Diagram labels: OneNet; PEP; RTIC; Internet; Extranet; Remote Access; Partner Networks; Trust Zones for DHS-HQ, CBP, TSA, FEMA, ICE, US-CIS, USSS, FLETC, and USCG; Sub Zones for S&T, DNDO, I&A, NPPD, OIG, US Visit, OPS, and ITO.]

DHS also implemented the Office of Management and Budget’s (OMB’s) Trusted Internet Connection (TIC) initiative as part of the OneNet project. The TIC initiative helps to improve the government’s security posture and incident response capability by reducing and consolidating the number of external connections. To comply with the OMB TIC initiative, DHS created the DHS redundant trusted Internet connection (RTIC).[2] With the exception of the United States Coast Guard (USCG), all components must route their Internet traffic through the RTIC. USCG, as a branch of the armed forces, has been approved to use the Department of Defense (DOD) network to access the Internet.
The RTIC provides four standard services:

- Outbound Internet – Public Internet access for the DHS community that is secure and policy controlled;
- Application Hosting – Infrastructure for the secure hosting of DHS resources, applications, servers and Web services to the public user community;
- Remote Access Virtual Private Network (VPN) – Secure remote access for DHS personnel to access mission-critical resources from remote locations, home, or designated disaster sites; and
- Extranet Connections – Secure infrastructure for direct encrypted connection to participating government agencies and the commercial and trade community.

[2] The DHS redundant trusted Internet connection is a certified and accredited DHS system operating in the two DHS data centers.

Figure 2 illustrates the RTIC services and connection to OneNet.

[Figure 2. OneNet Diagram With RTIC Services. Diagram labels: Extranet; VPN; Internet; Application Hosting; RTIC; OneNet; Components.]

The OneNet life cycle cost estimate (LCCE) is $704 million per the 2011 Network Services LCCE. The project’s capital investment estimates were made on the assumption that 3,759 sites will be transitioned from component legacy WANs to OneNet by fiscal year (FY) 2015. The project includes the procurement of hardware (routers and switches), software (intrusion detection), and engineering services (capacity management).

In 2005, the DHS OneNet project had a projected return on investment (ROI) of 192% over a 10-year period. In 2011, DHS revised the OneNet’s projected ROI downward to 67.3% over 10 years. According to the ITP program director, a number of OMB and DHS mandates have increased the operating and maintenance, and capital investment costs of the OneNet project. Specifically, increased costs to implement the RTIC, PEPs, and Internet Protocol Version 6 (IPv6)[3] contributed to the lower ROI for the project (see figure 3).

[3] Because the current Internet protocol (Internet Protocol Version 4) has run out of addresses, agencies need to transition to IPv6.
IPv6 will support a practically unlimited number of addresses worldwide.

[Figure 3. OneNet Return on Investment. Chart title: ROI Projections; vertical axis: Percent of Return.]

                   2005    2010      Total change
ROI Projections    192%    67.30%    -124.70%

Results of Audit

Progress Made in Implementing OneNet

DHS continues to make progress toward achieving its OneNet goals. Specifically, DHS has established a centralized NOC/SOC incident response and reporting capability in order to manage the network and resolve computer and network issues. Additionally, DHS components continue to be actively involved in supporting the transition to OneNet by signing memorandums of agreement (MOAs) and converting their sites to MPLS architecture.
Finally, in June 2009, DHS established the RTIC to provide essential network services to DHS components.

Centralized NOC/SOC Services

DHS developed a NOC/SOC architecture consisting of a centralized NOC/SOC and several component-level subordinates. The central or Enterprise SOC and NOC provide management services and oversight of the DHS OneNet. Each component NOC/SOC is responsible for its individual watch areas or Trust Zones. The DHS Enterprise NOC/SOC provides guidance and coordination for component NOC/SOCs, which perform the majority of network and security incident monitoring and detection. The EOC manages the resolution of security network incidents in the corresponding domains of responsibility, network functionality, and security.

Component Progress

DHS components are also making progress in moving to the OneNet architecture. For example, all but three of the nine DHS components have signed MOAs with CBP to obtain network and security services. As the OneNet steward, CBP has elected not to prepare an MOA. MOAs are important because they identify the terms and conditions covering the services DHS will provide to components through OneNet.
The MOAs include information on all OneNet core devices such as the Network Switching Nodes, policy enforcement points, RTICs and WAN devices. Table 1 provides the status of component MOAs.

Table 1. Component Status of MOA

Component    Signed MOAs    No MOAs
CBP                         X
DHS HQ       X
FEMA         X
FLETC        X
ICE          X
USCIS        X
TSA                         X
USCG[4]      X
USSS         X

[4] USCG is exempt from the OneNet migration efforts because it uses the DOD network.

Additionally, all components have converted their sites to the MPLS architecture. The MPLS technology enables DHS and its components to read and access the audit trails captured on firewall and intrusion detection devices.

RTIC Improvements

The RTIC is a redundant network infrastructure that provides essential OneNet services (Internet, extranet, VPN, and application hosting) to support all DHS components. In FY 2009, DHS installed the second RTIC at Data Center Two in Clarksville, Virginia; the first is located in Data Center One in Stennis, Mississippi. The addition of a second trusted Internet connection creates an infrastructure that is housed at two high-availability, totally redundant and geographically diverse data centers. It was built using a flexible framework, industry best practices, DHS system engineering life cycle process, and National Institute of Standards and Technology guidelines. The RTIC employs a layered approach that provides a high level of security, monitoring, and accountability, as depicted in figure 4.

[Figure 4. Layered Approach of the RTIC. Diagram labels: Firewalls; Intrusion Detection Systems/Intrusion Protection Services; Data Loss Prevention.]

The RTIC also provides a redundant path, using multiple carrier vendors, to provide adequate security protection controls commensurate with the security requirements of the services provided.

DHS has made several improvements to the RTIC at both locations. Currently, it is planning and implementing cybersecurity enhancements known as the High Assurance Gateway (HAG) and the Application Hosting Reverse Proxy (AHRP). HAG will allow the components to access information in a secure virtual environment, providing access to social media sites or otherwise prohibited contents sites that they currently cannot access.
HAG also allows users (components) to browse the Internet through an enhanced firewall or a virtually hosted environment that helps to protect the user’s workstation from malicious attempts to infiltrate the system. AHRP will enable components that cannot afford to move their applications to either of the two data centers to run these applications remotely from their legacy data centers. AHRP will also provide application layer access to Web and application servers.

Improvements Needed for Transition to the OneNet

DHS needs to make a number of improvements to ensure transition to OneNet. Specifically, DHS and CBP need to—

- Complete the establishment of component connections (peering) to OneNet;
- Ensure that all components transition to the RTIC;
- Complete required project management documentation; and
- Update interconnection security agreements.

Peering to OneNet Is Not Complete

All DHS components must be peered (connected) to OneNet in order for each component’s transition to be complete. Sites peered to OneNet represent the number of sites associated with the OneNet domain. At present, only two components have peered all of their sites to OneNet, and the remaining seven components identified the lack of PEPs as the primary reason for their delayed transition to OneNet.
PEPs support controlled cross-communication between component Trust Zones, as shown in figure 5.

[Figure 5. Components of Policy Enforcement Points. Diagram labels: ICE Trust Zone; TSA Trust Zone; Policy Enforcement Point (PEP); Firewall; Intrusion Detection System; Packet Capture; Data Loss Prevention; Outbound Proxy; Malware Detection; Firewall.]

DHS components have established different and unique levels of IT security policies, along with PEPs to enforce these policies. In response, DHS’ OneNet project management team revised its originally planned infrastructure to meet the components’ mission driven needs and requirements. DHS Sensitive Systems Policy Management Directive 4300A and the corresponding handbook were also revised in FY 2009 to include requirements for PEPs in OneNet services. Finally, DHS’ security architecture was revised to require that PEPs be implemented to separate the Trust Zones.

Transition to the RTIC Is Not Complete

Not all DHS components have completely transitioned to the RTIC.
As of February 2011, two components—the Federal Law Enforcement Training Center (FLETC) and DHS headquarters—have completed transition (see table 2). Three of the remaining seven components have signed waivers with extension dates until 2012 to defer their transition to the RTIC. The Transportation Security Administration (TSA), United States Citizenship and Immigration Services (USCIS), and United States Secret Service (USSS) have not completed their respective transitions and waivers have not been granted. Waivers are required because RTIC services are mandated by OMB. USCG is exempt because it has elected to use the DOD network.

Table 2. Component Status on RTIC Transition

Components    Completed    Signed Waivers    No Waivers    Exempted
CBP                        X
DHS HQ        X
FEMA                       X
FLETC         X
ICE                        X
USCIS                                        X
TSA                                          X
USCG                                                       X
USSS                                         X

All components except USCG must route all Internet traffic through the RTICs.

DHS Has Not Developed Several Key Planning Documents for the OneNet Project

DHS has not developed several key planning documents for the overall OneNet project. Specifically, DHS has not prepared a Concept of Operations (CONOPS) for the OneNet and the RTIC projects.
DHS did develop an ITP Program CONOPS that
provides a brief and limited description of how DHS expects to
plan and develop its network services infrastructure under OneNet.
According to DHS Management Directive 102-01, Revision 01,
Section 5, a CONOPS describes how DHS components would use
the desired capability to fulfill its operations.

Additionally, DHS has not updated and revised its project
management plan to reflect the added OMB mandates and
cybersecurity enhancements. The most recent project plan for
OneNet, Version 1.6 (dated March 2011), did not include an
integrated project master schedule; work breakdown structure; or
information on the RTICs, PEPs, and cybersecurity devices.
According to the DHS interim System Engineering Life Cycle
Guide, Version 2.0, Appendix B of the Acquisition
Instruction/Guidebook 102-01-001, an integrated master schedule
should include project resourcing, discrete work packages, internal
and external dependencies, and critical paths. The development
and approval of key planning documents is essential to the success
of a project this size.
Management should ensure that all planning
documents are finalized and approved.

Interconnection Security Agreements Are Needed

DHS requires that all interconnections to DHS OneNet be
documented using an interconnection security agreement (ISA).
Components must complete a master ISA, which includes all
transitioning systems, as part of their initial OneNet transitions.
According to DHS Sensitive Systems Policy, an ISA should be:

• Described in sufficient detail to serve as a sound basis for
  approving a system-to-system connection;
• Signed by the authorizing official prior to operating the
  associated connection;
• Established in accordance with National Institute of
  Standards and Technology Special Publication 800-47;
• Required whenever the security policies of the
  interconnected systems are not identical or the systems are
  not administered by the same entity/authorizing official;
• Reissued every 3 years or whenever significant changes
  have been made to any of the interconnected systems; and
• Reviewed by component personnel as part of the annual
  Federal Information Security Management Act of 2002
  self-assessment.

However, OneNet ISAs are not current for all components.
Specifically, three DHS components (Federal Emergency
Management Agency [FEMA], DHS headquarters [HQ], and
USSS) did not have OneNet ISAs, three components (TSA,
FLETC, and USCG) had expired ISAs, and three components
(Immigration and Customs Enforcement [ICE], CBP, and USCIS)
had current signed ISAs (see table 3).

Table 3. ISAs Received per Component

Components   Current Signed ISAs   Up for Renewal   No Documents
TSA                                X
USSS                                                X
USCG                               X
FEMA                                                X
ICE          X
FLETC                              X
CBP          X
HQ                                                  X
USCIS        X

ISAs should be prepared between DHS and each component and
between each component and its trade partners.

Recommendations

We recommend that the DHS Chief Information Officer:

Recommendation #1: Complete the transition and connection
(peering) of components to OneNet.

Recommendation #2: Develop, approve, and implement key
planning documents, network service agreements, and
interconnection security agreements.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the
DHS Office of Chief Information Officer (OCIO). We have
included a copy of the comments in their entirety in appendix B.
Generally, the OCIO agreed with our findings and
recommendations.

Recommendation #1

The OCIO concurs with Recommendation 1.
The OneNet project
team is working with each component to complete migrations and
associated projects. This recommendation will remain open until
the OCIO provides documentation to support that corrective
actions are completed.

Recommendation #2

The OCIO concurs with Recommendation 2. The OneNet project
team plans to update and revise its project management plan and
develop a CONOPS. Additionally, the OneNet team will complete
and update all MOAs and ISAs. This recommendation will remain
open until the OCIO provides documentation to support that
corrective actions are completed.

Appendix A
Purpose, Scope, and Methodology

The objective of our review was to determine the progress that DHS
has made in consolidating components’ existing infrastructure into
the OneNet project. Specifically, we determined whether (1) DHS
achieved its program management goals and target milestones for
OneNet; (2) DHS and its components experienced any cost savings
with the implementation of OneNet; and (3) DHS adequately
addressed security concerns over OneNet.

We interviewed selected personnel at DHS headquarters and
component facilities in the Washington, DC, area.
In addition, we
reviewed and evaluated DHS security policies and procedures,
OneNet project plans and security architecture, the ITP charter,
and other appropriate documentation.

We conducted this audit between February and June 2011 pursuant
to the Inspector General Act of 1978, as amended, and according
to generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based upon our audit objectives. We
believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based upon our audit objectives.
Major OIG contributors to the audit are identified in appendix D.

The principal OIG points of contact for the evaluation are Frank
Deffer, Assistant Inspector General, Office of Information
Technology, at (202) 254-4041 and Sharon Huiswoud, Director,
Information Systems Audit Division, at (202) 254-5451.

Appendix B
Management Comments to the Draft Report

Homeland Security

[Date stamp: SEP, remainder illegible]

MEMORANDUM FOR:  Frank Deffer
                 Assistant Inspector General for IT Audits

FROM:            Richard A. Spires
                 Chief Information Officer

SUBJECT:         OIG-11-040-ITA-MGMT, DHS Continues to Face Challenges in the
                 Implementation of its OneNet Project

The Department of Homeland Security (DHS), Office of the Chief Information Officer (OCIO) has
reviewed the findings of the draft Office of the Inspector General (OIG) Report 11-040-ITA-MGMT,
DHS Continues to Face Challenges in the Implementation of its OneNet Project, released
July 2[illegible], 2011. OCIO's responses to OIG's draft recommendations are as follows:

Recommendation #1: Complete the transition and connection (peering) of components to OneNet.

DHS response, August 2011: OCIO concurs.

The OneNet project management team is working with each Component to complete migrations and
associated projects, such as the Policy Enforcement Points (PEPs) and Reverse Proxy, which will
assist Component migrations. OCIO has targeted the second quarter of FY 2012 for completing all
transition and connection of Components to OneNet.

Recommendation #2: Develop, approve, and implement key planning documents, network service
agreements, and interconnection security agreements.

DHS response, August 2011: OCIO concurs.

The OneNet Project Team will update and revise its project management plan to address current
OMB mandates and cybersecurity enhancements. The revised plan will include an integrated project
master schedule that reflects project resourcing, discrete work packages, internal and external
dependencies, and critical paths. The revised plan will also include information on the RTICs, PEPs,
and all cybersecurity devices. OCIO has targeted the first quarter of Fiscal Year (FY) 2012 for
completing the revised OneNet project management plan.

The OneNet team will also complete and update all Memoranda of Agreement (MOAs) between
DHS and each Component, and all Interconnection Security Agreements (ISAs) between each
Component and its trade partners. OCIO has targeted the first quarter of FY 2012 for completing and
updating all MOAs and ISAs.

Additionally, the OneNet team will develop a Concept of Operations (CONOPS) for OneNet that
includes the Redundant Trusted Internet Connection (RTIC) capability and that describes how
Components would use the capability to fulfill their operations. OCIO has targeted the second quarter
of FY 2012 for completing the CONOPS.

Appendix C
Major Contributors to this Report

Sharon Huiswoud, IT Audit Director
Sharell Matthews, IT Audit Manager
Beverly Dale, Team Leader
Anthony Nicholson, Senior IT Auditor
Robert Durst, Senior Program Analyst
Frederick Shappee, Program Analyst
Swati Nijhawan, Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Deputy Chief Information Officer
CIO Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as
appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.